fix 'hardened' profile for NixOS 20.09

The 'scudo' memory allocator set by the 'hardened' profile breaks some
services on 20.09.
The fix for NixOS unstable (https://github.com/NixOS/nixpkgs/pull/104052)
is ineffective on 20.09.

As a workaround, add a custom 'hardened' preset that uses the default allocator.
Erik Arvstedt 2020-12-16 18:57:57 +01:00
parent 44b06aea5a
commit c8e73c959e
GPG Key ID: 33312B944DD97846
2 changed files with 15 additions and 6 deletions

@ -9,8 +9,7 @@
# FIXME: The hardened kernel profile improves security but # FIXME: The hardened kernel profile improves security but
# decreases performance by ~50%. # decreases performance by ~50%.
# Turn it off when not needed. # Turn it off when not needed.
# Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix <nix-bitcoin/modules/presets/hardened.nix>
<nixpkgs/nixos/modules/profiles/hardened.nix>
# FIXME: Uncomment next line to import your hardware configuration. If so, # FIXME: Uncomment next line to import your hardware configuration. If so,
# add the hardware configuration file to the same directory as this file. # add the hardware configuration file to the same directory as this file.
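Review bot: the new import `<nix-bitcoin/modules/presets/hardened.nix>` only resolves if a `nix-bitcoin` entry is on NIX_PATH, the same way the previous `<nixpkgs/...>` path relied on the `nixpkgs` entry; the example config should say where that entry comes from, or use a relative path, otherwise a user who copies this file gets an evaluation error. Also, the removed `# Source:` line was the only pointer to what the hardened profile does; consider keeping a one-line comment saying the preset wraps the upstream profile and relaxes a couple of its settings, so readers know to look there before re-enabling anything.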
@ -208,10 +207,6 @@
# FIXME: Add custom options (like boot options, output of # FIXME: Add custom options (like boot options, output of
# nixos-generate-config, etc.): # nixos-generate-config, etc.):
# If the hardened profile is imported above, we need to explicitly allow
# user namespaces to enable sanboxed builds and services.
security.allowUserNamespaces = true;
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database # compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you # servers. You should change this only after NixOS release notes say you
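Review bot: dropping `security.allowUserNamespaces = true;` here is only safe while every user goes through the new preset; anyone who still imports `<nixpkgs/nixos/modules/profiles/hardened.nix>` directly (as the old comment encouraged) will again end up with user namespaces disabled and sandboxed builds failing, with nothing in the example config pointing at the cause. Suggest keeping a short comment at the hardened import above noting that the preset, not this file, now re-enables user namespaces.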

@ -0,0 +1,14 @@
{
imports = [
# Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
<nixpkgs/nixos/modules/profiles/hardened.nix>
];
## Reset some options set by the hardened profile
# Needed for sandboxed builds and services
security.allowUserNamespaces = true;
# The "scudo" allocator is broken on NixOS 20.09
environment.memoryAllocator.provider = "libc";
}
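Review bot: the comment on `environment.memoryAllocator.provider = "libc";` should record why this override exists and when it can go away: cite the upstream fix from the commit message (https://github.com/NixOS/nixpkgs/pull/104052) and state that it is a 20.09-only workaround that trades away the scudo hardening, so a maintainer bumping past 20.09 knows to remove it. Also worth confirming that the upstream profile sets both `security.allowUserNamespaces` and `environment.memoryAllocator.provider` with `mkDefault`; if either were a plain assignment, these two lines would produce a conflicting-definition error rather than override it, and would need `lib.mkForce`.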